SO Email Security

AI-powered email security. Defending inboxes from phishing, BEC & account takeovers. Because "Oops, I clicked it" shouldn't cost millions.

06/01/2026

Your email filter just let a $123,000 mistake through.
Invoice phishing does not spike at quarter end. It runs every single week because your accounts payable team processes invoices every single week. Hoxhunt tracked 50 million phishing attempts across four million users and found invoice scams in the top two attack categories every quarter without exception. The FBI logged $3.046 billion in BEC losses in 2025. Average loss per incident: $123,000.
Here is why your filter missed it.
The email had no malicious link. The attachment was a PDF from a vendor you already pay. The sender display name matched exactly. The sending address was one character off the real domain. Nobody checked. Nobody checks when seventeen invoices need clearing before noon and everything looks routine.
The PDF contained one thing: the wrong bank account number. Your filter had nothing to flag. The payment processed. The money went to a stranger.
One habit stops most of it. Any change to payment details gets verified on a phone number already in your contacts before that email arrived. Not the number in the email. A number you already knew. This single policy closes the gap no filter can fully close.
Ṣọ Mail catches the sending address mismatch and the invoice redirect pattern before the email ever reaches your inbox. Not after you open it. Before it arrives. Free on iOS and Android.

Download Ṣọ Mail at soemailsecurity.com. No credit card. No tech setup.
Save this and send it to whoever handles payments in your business.
Encrypted processing. Zero retention. Ṣọ Mail never retains your email content.

06/01/2026

Attackers do not take the first of the month off.
June starts the same way May ended. Invoices moving. Payment requests landing. Vendor emails arriving. And somewhere in that volume, one email that looks exactly like the rest but is not.
This is not a dramatic attack. It does not announce itself. It looks like a routine message from someone you already trust, arriving at the moment you are busiest and least likely to check twice.
One click on the wrong email can redirect a payment, hand over login credentials, or compromise a client relationship you spent years building. For freelancers and small businesses, there is no IT department to catch it after the fact.
Ṣọ Mail flags the threat before it reaches you. Sending address mismatches, lookalike domains, invoice redirect patterns, phishing signals. All caught before anyone on your team has to make a judgment call under pressure.
Start June with a safer inbox. Free at soemailsecurity.com. No credit card, no tech setup.
Save this and send it to someone running a small business. 👇
Encrypted in. Encrypted out. Nothing kept in the middle.

05/27/2026

Every phishing email that works is built from the same 7 structural elements.
Not the same words. The same blueprint.
Here is what those 7 elements are and what each one is doing to you:

1. Trusted sender identity. The display name is right. The sending address is not. Your brain reads the name and stops there.
2. Plausible pretext. The email references something you are already expecting or worried about. It does not need to be original. It needs to feel relevant to you right now.
3. Manufactured urgency. Urgency eliminates the time you need to verify. Delay is made to feel like the greater risk.
4. Authority signal. A CEO, a government agency, legal language, a compliance deadline. Authority makes compliance feel like the correct, professional response.
5. Single required action. Click. Call. Scan. Open. One thing. Simple enough that it does not feel suspicious.
6. Friction-reduced path. The link goes straight to a page that looks exactly like the real site. The barrier to compliance is as low as possible.
7. Cover story for anomalies. This is the most dangerous one. The email explains, in advance, why something feels unusual. By the time your brain registers the anomaly, the explanation is already waiting.

82.6% of phishing emails now contain AI-generated elements. The visual tells are gone. The structure is not.
Ṣọ analyses the structural signals behind every email before it reaches your inbox. Free to start at soemailsecurity.com
Save this and share it with your team.
AI-powered protection, zero data retention. That is the Ṣọ promise.

05/22/2026

The email said it came from Google. It passed every security check. It still stole 30,000 Facebook business accounts.
Researchers this month exposed a phishing operation run by a Vietnamese-linked group that found a way to send phishing emails through Google’s own infrastructure. They used a legitimate Google tool called AppSheet, which allows the sender name on outgoing emails to be customised. The sending address looked exactly like a real Google notification. Technically, it was one.
The emails warned recipients about Facebook policy violations and copyright complaints. Urgent language. Official branding. A link to resolve the issue immediately.
That link went to a credential harvesting page. Victims logged in thinking they were verifying their Facebook account. The attackers took their credentials and walked away with their pages, advertising accounts, and business profiles. Those accounts are now being resold or used to run fraudulent ad campaigns at scale.
30,000 accounts. The campaign is still active.
Here is what this means for anyone who runs a page or a business that depends on social media.
Standard email security checks the sender. It asks: is this address real, is the domain authenticated, does the infrastructure match? For this attack, every answer came back clean. Because the infrastructure was genuinely Google’s.
The check that would have stopped it is different. It is not about who sent the email. It is about where the link inside actually goes.
Ṣọ analyses link destinations and email content regardless of how the sending address looks. A redirect that ends at a credential harvester is flagged before you click, even when the email originated from a trusted platform.
Free to start at soemailsecurity.com. No credit card, no tech setup required.
Save this. Every business with a page needs to see it. 👇
Protecting your inbox without ever reading it.

05/18/2026

A dangerous email does not always need a bad link.

Sometimes, the trap is hidden in the Reply-To address.

The sender may look trusted, but your reply could go to an attacker.

Before you reply, approve, or pay, check first.

ṢỌ Email Security.
One engine. Every threat in email.
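The Reply-To check described in this post, together with the "display name is right, sending address is not" pattern from the earlier posts, as an added example that is not Ṣọ's code. The contact book, addresses and sample messages are constructed, and the finding labels are hypothetical names.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed contact book: display name -> address already on file.
KNOWN_SENDERS = {"acme supplies billing": "billing@acme-supplies.example"}


def domain_of(address):
    """Return the lower-cased domain part of an address."""
    return address.rpartition("@")[2].lower()


def header_findings(raw_message):
    """Return header-level warning labels for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    findings = []

    # The name matches a contact we already pay, but the address is not
    # the one on file (for example, one character off the real domain).
    on_file = KNOWN_SENDERS.get(display.strip().lower())
    if on_file and on_file != from_addr.lower():
        findings.append("display-name-matches-contact-but-address-differs")

    # A reply would leave the sender's domain. Mailing lists and ticketing
    # systems do this legitimately, so treat it as a signal, not a verdict.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
            findings.append("reply-to-domain-differs-from-sender")
    return findings


# Constructed sample messages.
LOOKALIKE = (
    'From: "Acme Supplies Billing" <billing@acme-suppliess.example>\n'
    "Subject: Invoice 1042\n\nUpdated bank details attached.\n"
)
REPLY_TRAP = (
    'From: "Acme Supplies Billing" <billing@acme-supplies.example>\n'
    "Reply-To: accounts@acme-supplies-pay.example\n"
    "Subject: Invoice 1043\n\nPlease confirm by reply.\n"
)
CLEAN = (
    'From: "Acme Supplies Billing" <billing@acme-supplies.example>\n'
    "Subject: Invoice 1044\n\nSee attached.\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("reply trap", REPLY_TRAP), ("clean", CLEAN)]:
        print(label, header_findings(raw))
```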

05/14/2026

An Israeli startup lost $1M to a single typo. Not their typo. The attacker’s.
In 2019, a Chinese VC firm wired $1M in seed funding to what they believed was an Israeli startup. The money never arrived.
The attacker hadn’t compromised either email account or deployed malware. They had registered two lookalike domains, one for each side of the transaction, each with one extra letter at the end. Every email went to the attacker first, who edited the content and forwarded it onward.
Two parties having a conversation through a translator who happened to be a thief.
Why SPF, DKIM, and DMARC don’t catch this:
Authentication standards detect spoofing of YOUR domain. They cannot detect a DIFFERENT domain that looks similar. The attacker configures these on their own lookalike domain. All three pass cleanly.
Five attack variants:
→ Typosquatting (gooogle.com, amaz0n.com)
→ Character substitution (rn for m, 0 for o)
→ Homoglyph attacks (Cyrillic chars that look identical to Latin)
→ Combo-squatting (paypal-secure.com)
→ TLD substitution (paypal.co instead of paypal.com)
The verification habit that catches them:

→ Inspect the FULL sender address, not the display name
→ Look for extra letters, character swaps, alternate TLDs
→ For financial requests, phone-verify at a number you already have
→ Establish vendor verification protocols up front
→ Use automated lookalike domain detection
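A minimal sketch of automated lookalike detection covering the five variants listed above. It is an added example, not Ṣọ's detection engine; the allow-list, the small confusables table and the extra `1`/`vv` swaps are assumptions, and input is assumed to be a two-label domain in Unicode form.

```python
# Constructed allow-list of domains the organisation actually deals with.
TRUSTED = ["amazon.com", "google.com", "microsoft.com", "paypal.com"]

# Tiny illustrative confusables table (Cyrillic -> Latin); not exhaustive.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i"}
# "rn for m" and "0 for o" come from the post; "1" and "vv" are assumed extras.
SUBSTITUTIONS = [("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")]


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (name, tld) for a two-label domain such as paypal.com."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld


def classify(domain):
    """Return (variant, trusted_domain) for a lookalike, or None."""
    if domain.lower() in TRUSTED:
        return None
    name, tld = split_domain(domain)
    for trusted in TRUSTED:
        t_name, t_tld = split_domain(trusted)
        folded = "".join(CONFUSABLES.get(ch, ch) for ch in name)
        if folded != name and folded == t_name:
            return ("homoglyph", trusted)
        swapped = name
        for fake, real in SUBSTITUTIONS:
            swapped = swapped.replace(fake, real)
        if swapped != name and swapped == t_name:
            return ("character-substitution", trusted)
        if name == t_name and tld != t_tld:
            return ("tld-substitution", trusted)
        if name != t_name and t_name in name.split("-"):
            return ("combo-squatting", trusted)
        # One inserted, dropped or changed letter, e.g. an extra letter at the end.
        if edit_distance(name, t_name) == 1:
            return ("typosquatting", trusted)
    return None


if __name__ == "__main__":
    for d in ["gooogle.com", "amaz0n.com", "p\u0430ypal.com",
              "paypal-secure.com", "paypal.co", "example.org"]:
        print(d, classify(d))
```

Short brand names produce false positives at edit distance 1, so a match here is a reason to verify, not proof of fraud.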

Documented cases: Florentine Banker hit 3 British PE firms for $1.3M in 2020. Holland & Knight sued for $3M wire fraud. Zscaler analyzed 30K lookalike domains in 2024 and found 10K+ active.
Five minutes of phone verification beats five hundred thousand dollars of fraud.
Save this. Send it to your AP team and anyone who handles wires.
For automated detection at the email layer, install Ṣọ at soemailsecurity.com. Free tier covers Engine 01 Identity.
We earn revenue from subscriptions, never from your data.

05/07/2026

If you have Ṣọ Mobile installed, you have a free QR safety scanner.
Most users have never opened it.
QR-based phishing attacks tripled between 2023 and 2024. Most of them succeed on mobile because that's where verification is hardest. The QR code hides the destination URL until you've already scanned. By then, your phone is already on a fake login page or a credential-harvesting form.
The Ṣọ Mobile app has a built-in QR Code Safety Scanner that catches this. Free tier covers it. Most people have just never tapped the icon.
How to find it: open the app, tap the QR scanner icon on the main menu.
Two ways to use it. Point your phone camera at any QR code. Or upload an image of a QR code someone sent you. Either way, the verdict comes back in seconds: Safe, Suspicious, Dangerous, or Unknown. With a "why we flagged this" explanation showing the specific signals that contributed.
What the scanner checks:
URL pattern analysis. Is the destination a lookalike domain, a recently registered host, or a known phishing infrastructure?
Domain reputation across multiple threat intelligence feeds (Google Safe Browsing, PhishTank, OpenPhish, more).
Redirect chain inspection. Many phishing QR codes use URL shorteners or dynamic QR services to hide the final destination. The scanner follows the chain and reports every hop.
Subdomain tricks. Patterns like "login.microsoft.com.attacker.com" where the real domain is hidden behind a fake-looking subdomain.
Typosquatting and homoglyphs. Lookalike domains using character substitution. "rn" mimicking "m". "0" instead of "o". Cyrillic characters that visually match Latin ones.
File download flags. If the destination is a direct file download (.apk, .exe, .zip, .pdf, .html), the scanner flags it. Catches a common QR scam pattern where the user expects a website but gets a malware payload.
Beyond URLs, the scanner also handles vCard contact files, Wi-Fi connection codes, app deep links, and payment QR codes (Venmo, CashApp, mobile banking).
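The "subdomain tricks" and "file download flags" checks from the list above, as an added example that is not the scanner's own code. The brand list, the short multi-label suffix set (a stand-in for the full Public Suffix List) and the flag names are assumptions; the extension list is the one given in the post.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed list of brand domains to protect.
BRANDS = ["microsoft.com", "paypal.com"]
# Assumed stand-in for the Public Suffix List: a few multi-label suffixes.
MULTI_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Extensions named in the post as direct-download flags.
DOWNLOAD_EXTS = {".apk", ".exe", ".zip", ".pdf", ".html"}


def registrable_domain(host):
    """Return the domain an owner actually registered, e.g. attacker.example."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-keep:])


def url_flags(url):
    """Return warning flags for a decoded QR or link destination."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    registered = registrable_domain(host)
    flags = []

    # Brand labels appear in the host, but the registered domain is not the
    # brand's: login.microsoft.com.attacker.example belongs to attacker.example.
    for brand in BRANDS:
        if registered != brand and f".{brand}." in f".{host}.":
            flags.append(f"brand-in-subdomain:{brand}")

    # The user expects a web page but the path points straight at a file.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in DOWNLOAD_EXTS:
        flags.append(f"direct-file-download:{ext}")
    return flags


if __name__ == "__main__":
    # Constructed sample destinations.
    for u in ["https://login.microsoft.com.attacker.example/signin",
              "https://login.microsoft.com/common/oauth2",
              "https://cdn.files.example/app/update.apk",
              "http://paypal.com.secure-check.example/invoice.html"]:
        print(u, url_flags(u))
```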
How it works architecturally: when you scan, the content goes to Ṣọ servers via HTTPS/TLS, gets analyzed in seconds, gets deleted. Same architecture as Ṣọ Mail. Encrypted in transit, zero retention, no human access, no training on user submissions. We're not claiming "on-device" because the scanner uses our threat intelligence infrastructure on Ṣọ servers. The privacy property is zero retention, not local processing.
Three audiences who especially benefit:
Anyone paying at parking meters or scanning restaurant menus. Public QR codes are the highest-volume quishing surface today.
Anyone handling invoices, payments, or vendor relationships. A fraudulent QR code that redirects payment to an attacker-controlled account is one of the highest-loss attack patterns for small businesses.
Anyone helping older relatives or non-technical colleagues verify suspicious QR codes.
If you've only used Ṣọ for inbox protection, this is the next high-leverage capability to add to your habits.
Five seconds of verification beats five hours of fraud recovery.
iOS: apps.apple.com/us/app/so-mail/id6756896070
Android: play.google.com/store/apps/details?id=com.app.somail
If you don't have Ṣọ Mobile yet, the Free tier covers QR scanning, dark web breach monitoring, and email threat detection. No credit card. 60-second signup.
The most useful feature in your email security app might be the one you've never tapped.

05/06/2026

That Cinco de Mayo promo email in your inbox right now might not be from the brand you think it's from.
Phishing attempts spike 30 to 50 percent during major retail moments. Cinco de Mayo, Black Friday, Mother's Day, Memorial Day. The pattern repeats every year. Real brands send real promos. Attackers send fake versions. Inboxes are too full to scrutinize each one carefully.
Four seasonal scam patterns account for most successful campaigns:
The lookalike brand promo. Sender domain is a slight variation of the real brand (targét.com instead of target.com). Body uses official logos and colors copied from legitimate marketing emails. Lands you on a credential-harvesting page.
The exclusive offer requiring login. Discount or free item that requires login to claim. The login page is fraudulent. Captured credentials get used directly or sold on credential markets.
The fake order confirmation. Email claims a recent order has been placed, often for a high-dollar item. The "review the order" or "cancel if unauthorized" link routes to a fraudulent page.
The shipping delay notice. Email claims a recent purchase has been delayed and requires "shipping detail verification" or "a small adjustment fee." The fraudulent page captures payment details.
Five signals catch most of them. Domain mismatch. Login for a generic offer. Manufactured urgency tighter than the brand's normal patterns. Discount larger than the brand normally offers. Image-only content with little text.
A legitimate seasonal promo passes all five. A fraudulent one typically fails at least two.
Mobile inboxes make this worse because verification friction is higher on phones. The sender domain is hidden, the URL is harder to inspect, the screen is smaller.
The defense scales through automated detection at the email layer plus the habit of navigating directly to retailers when an offer interests you. Don't click links from promotional emails. Type the brand's address manually. Look for the offer on the actual site.
Save this for every retail moment this year, not just Cinco de Mayo.
Don't let a fake promo cost you a credit card. Install Ṣọ in 2 minutes: soemailsecurity.com.
We earn revenue from subscriptions, never from your data.

04/30/2026

QR phishing attempts doubled in 2024. The reason isn’t technical sophistication. It’s that quishing exploits a structural gap between how email filters work and how mobile work actually happens.

Traditional email security tools were built to scan text and links. They look for suspicious URLs in the body, expand shortened links, check attachments against malware signatures. The QR code is none of those things. It is an image, and inside the image is a URL that no link scanner ever sees.

The attack pattern is consistent. A QR code gets embedded in an email as an image. The body says “Scan to view your invoice” or “Scan to verify your account.” Your email filter scans the email and finds nothing. You open the email on your phone, see the QR code, and reach for the camera. The phone scans. The browser opens. Credentials get harvested.

The handoff from corporate device to personal phone is the entire point. By the time the URL is on your phone screen, you are off corporate infrastructure and the attacker has won.

Five quishing patterns account for most successful attacks. Microsoft 365 verification on lookalike domains. DocuSign or Adobe Sign document signing pages. Parking meter and invoice payment stickers. Office lobby visitor check-in QR codes. Shipping notification “redelivery fee” pages.

The defense has to live at the email level. Before you reach for your phone. Ṣọ extracts every embedded image from your email, detects QR codes, decodes them server-side, runs the URL through threat intelligence, and returns the verdict before you scan.

Three behavioral rules complement technical scanning. Never scan unverified QR codes from email. Disable automatic QR opening on phones. For high-risk roles like finance, route email to desktop-first review when QR codes are involved.

Save this for anyone on your team who handles email on mobile. Send it to your finance lead.

We earn revenue from subscriptions, never from your data.

Try Ṣọ free at soemailsecurity.com. Link in bio.

Cybersecurity

Address

Toronto, ON

Website

https://apps.apple.com/app/id6756896070, https://play.google.com/store/apps/details?id=
